
Re: setpag switch for afslog?

Douglas E. Engert wrote:
> But it has proved to be very handy. Doing a klog -setpag user modifies the
> parent shell. (I know pagsh;klog could do something similar.)
> The one other place this is useful is that no AFS libs need to be linked
> to a daemon which needs to set a pag. This avoids conflicts and allows
> daemons to be built that can support AFS if its available. (PAM can also
> address this if the daemon uses PAM.)

Please excuse my complete lack of knowledge of all things Kerberos and 
AFS related, I'm looking at this from the daemon's point of view 
(specifically, OpenSSH).

From what I've read, the PAG is encoded as a pair of supplemental gids, 
right?  Is there anything else stored in the kernel per-process related 
to the PAG?

If it's only the GIDs, would it be possible for a daemon to exec some 
kind of helper app, (something like klog -setpag, I guess), which 
returns those GIDs on its stdout for the daemon to add to the user's groups?

If this was enough, it would be workable without hackery to mess with a 
process' parent.

(BTW, I took a look at kpam, and in it setpag() is called in the 
pam_setcred() call, and in OpenSSH's case, that *is* called by the 
immediate parent of the user's shell (in session.c).  I don't know about 
other PAM/AFS modules.)

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
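As an added example of the daemon-side half of the scheme the message proposes (exec a helper, read the PAG gids from its stdout, append them to the user's supplemental groups), here is a small C sketch. It is not code from OpenSSH, OpenAFS or kpam, and it assumes a helper that prints exactly two decimal gids on one line; the helper command and the gid values 16128/16129 used below are constructed stand-ins. The daemon side is written defensively: the helper is run with execv on a fixed argv rather than through a shell, its output must parse to exactly two gids with nothing trailing, gid 0 is refused, existing groups are never dropped, and the list cannot exceed the caller's cap.

```c
/* Added example, not from OpenSSH/OpenAFS: daemon reads PAG gids from a
 * helper's stdout and merges them into a supplemental group list. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* Parse exactly "<gid> <gid>" (optional trailing newline) from one line of
 * helper output. Anything else, including trailing text, is rejected.
 * Returns 0 on success, -1 on malformed input. */
int parse_pag_gids(const char *line, gid_t *g0, gid_t *g1)
{
    char *end;
    unsigned long a, b;

    if (line == NULL)
        return -1;
    errno = 0;
    a = strtoul(line, &end, 10);
    if (end == line || errno != 0 || *end != ' ')
        return -1;
    line = end;
    b = strtoul(line, &end, 10);
    if (end == line || errno != 0)
        return -1;
    if (*end != '\n' && *end != '\0')
        return -1;
    *g0 = (gid_t)a;
    *g1 = (gid_t)b;
    return 0;
}

/* Append g0 and g1 to groups[] (ngroups entries, room for cap) without
 * dropping any existing group. Refuses gid 0 so a bad helper can never
 * hand out the root group. Returns the new count, or -1 on refusal. */
int add_pag_groups(gid_t *groups, int ngroups, int cap, gid_t g0, gid_t g1)
{
    gid_t add[2] = { g0, g1 };
    int i, j;

    for (i = 0; i < 2; i++) {
        int dup = 0;
        if (add[i] == 0)
            return -1;
        for (j = 0; j < ngroups; j++)
            if (groups[j] == add[i])
                dup = 1;
        if (dup)
            continue;
        if (ngroups >= cap)
            return -1;
        groups[ngroups++] = add[i];
    }
    return ngroups;
}

/* Run argv[0] with a pipe on its stdout (no shell involved), read its
 * output, require a zero exit status, then parse the two gids. */
int read_gids_from_helper(char *const argv[], gid_t *g0, gid_t *g1)
{
    int fds[2], status;
    char line[128];
    size_t len = 0;
    pid_t pid;

    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                    /* child: stdout -> pipe, exec helper */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);                     /* parent: collect at most one buffer */
    while (len < sizeof line - 1) {
        ssize_t n = read(fds[0], line + len, sizeof line - 1 - len);
        if (n <= 0)
            break;
        len += (size_t)n;
    }
    close(fds[0]);
    line[len] = '\0';
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return parse_pag_gids(line, g0, g1);
}

int main(void)
{
    /* Constructed stand-in for a "klog -setpag"-style helper. */
    char *const helper[] = { "/bin/sh", "-c", "echo 16128 16129", NULL };
    gid_t groups[MAX_GROUPS], g0, g1;
    int n = getgroups(MAX_GROUPS, groups), i;

    if (n < 0 || read_gids_from_helper(helper, &g0, &g1) != 0)
        return 1;
    n = add_pag_groups(groups, n, MAX_GROUPS, g0, g1);
    if (n < 0)
        return 1;
    /* A real daemon would now call setgroups(n, groups) as root before
     * dropping privileges; here we only print the resulting list. */
    for (i = 0; i < n; i++)
        printf("%u ", (unsigned)groups[i]);
    printf("\n");
    return 0;
}
```

The parsing and merge steps are separate functions so the daemon can decide what to do when the helper misbehaves (log and fall back to the plain group list) rather than trusting its output wholesale; the helper's exit status is checked as well, since an "empty" PAG line from a failed klog is indistinguishable from a real one otherwise.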